Disable privileged access after 12 months without revalidation
Ensure privileged access is reviewed and renewed annually for continued access.
Plain language
This control ensures that people with special access to your computer systems regularly prove they still need it. If an account's privileged access has not been reviewed and confirmed within the last 12 months, it should be turned off. This matters because privileged access that is forgotten about, or left behind when someone leaves or changes role, is an easy target for misuse; keeping track of who has it and why makes that harder.
Framework
ASD Essential Eight
Control effect
Proactive
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Privileged access to systems, applications and data repositories is disabled after 12 months unless revalidated.
Why it matters
Privileged access that is never revalidated accumulates on accounts whose holders have left or changed roles. Those stale privileges increase the risk of misuse by former staff and of unauthorised privileged activity by anyone who compromises the account, because nobody is left to notice that the access should no longer exist.
Operational notes
Perform an annual privileged access revalidation; automatically disable privileged accounts that are not revalidated by the 12-month deadline and record approvals.
Implementation tips
- The IT team should record, for every privileged account, when its access was last reviewed and approved. A spreadsheet is enough to start; an IAM/PAM tool or a dedicated directory attribute scales better and can be queried automatically.
- The security officer should define the annual review and renewal process for privileged access, including who approves, what evidence is kept, and how supervisors are reminded before an account's 12-month deadline.
- The system administrator should regularly query the account directory for privileged accounts whose last revalidation is more than 12 months old (or that have no revalidation record at all) and disable them. This check should be automated so that overdue accounts are flagged and disabled without relying on someone remembering to look.
- The HR department should notify IT of significant staff changes, such as departures or role shifts, so that the affected accounts' privileged access is reviewed immediately rather than waiting for the annual cycle.
- The security manager should train staff on why privileged access reviews matter and include this training in onboarding and annual refreshers.
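The tracking-and-disable procedure described in the notes and tips above, as an added example that is not part of the original page. The account list, the sweep date and the 30-day reminder window are constructed assumptions; in a real deployment the accounts would be read from the directory (AD, Entra ID, a PAM vault) and the disable action would call that system's API rather than flip an in-memory flag. Two edge cases the tips gloss over are handled explicitly: an account with no revalidation record is treated as overdue, and an account that is already disabled is not actioned again, so the sweep can run daily without duplicating audit entries.

```python
"""Annual privileged-access revalidation sweep (added example, not from the page)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumption: supervisors are reminded 30 days before an account's deadline.
REMINDER_WINDOW_DAYS = 30


@dataclass
class PrivilegedAccount:
    username: str
    # Date the privileged access was last approved or revalidated.
    # None means no record exists, which this sweep treats as overdue.
    last_revalidated: Optional[date]
    enabled: bool = True


def deadline_for(last_revalidated: date) -> date:
    """12 months after the last revalidation: same calendar day next year.
    Assumption: a 29 Feb revalidation expires on 28 Feb (the earlier date)."""
    try:
        return last_revalidated.replace(year=last_revalidated.year + 1)
    except ValueError:
        return last_revalidated.replace(year=last_revalidated.year + 1, day=28)


def revalidation_status(last_revalidated: Optional[date], today: date) -> str:
    """Return 'overdue', 'due_soon' or 'current'.
    The deadline day itself still counts as valid; the day after is overdue."""
    if last_revalidated is None:
        return "overdue"
    deadline = deadline_for(last_revalidated)
    if today > deadline:
        return "overdue"
    if today >= deadline - timedelta(days=REMINDER_WINDOW_DAYS):
        return "due_soon"
    return "current"


def enforce_revalidation(accounts: list, today: date) -> dict:
    """Disable overdue accounts and return audit records plus reminder entries.
    Accounts that are already disabled get no second action (idempotent)."""
    disabled, reminders = [], []
    for acct in accounts:
        status = revalidation_status(acct.last_revalidated, today)
        if not acct.enabled:
            continue
        last = acct.last_revalidated.isoformat() if acct.last_revalidated else None
        deadline = deadline_for(acct.last_revalidated).isoformat() if acct.last_revalidated else None
        if status == "overdue":
            acct.enabled = False          # real deployment: directory API call here
            disabled.append({
                "username": acct.username, "action": "disabled",
                "reason": "privileged access not revalidated within 12 months",
                "last_revalidated": last, "deadline": deadline,
                "performed_on": today.isoformat(),
            })
        elif status == "due_soon":
            reminders.append({"username": acct.username, "deadline": deadline})
    return {"disabled": disabled, "reminders": reminders}


def sample_accounts() -> list:
    """Constructed sample data; usernames and dates are fictitious."""
    return [
        PrivilegedAccount("alice.admin", date(2025, 6, 1)),            # current
        PrivilegedAccount("bob.admin", date(2025, 3, 1)),              # overdue
        PrivilegedAccount("carol.admin", date(2025, 4, 5)),            # due within 30 days
        PrivilegedAccount("dave.admin", None),                         # no record: overdue
        PrivilegedAccount("erin.admin", date(2025, 3, 19)),            # deadline is today
        PrivilegedAccount("frank.admin", date(2024, 2, 29), enabled=False),  # already off
    ]


if __name__ == "__main__":
    accounts = sample_accounts()
    result = enforce_revalidation(accounts, date(2026, 3, 19))
    for rec in result["disabled"]:
        print("AUDIT", rec)
    for rec in result["reminders"]:
        print("REMIND", rec)
```

The audit records returned by `enforce_revalidation` are what an assessor will ask for (see the evidence tips below): they show, per account, the last revalidation date, the computed deadline and the date the access was disabled. Reminder entries feed the supervisor notification step so that a legitimate holder is renewed before the cut-off rather than locked out on it.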
Audit / evidence tips
- Ask: How do you ensure privileged access is reviewed annually?
  Good: The organisation provides a documented schedule and records showing annual review and approval dates for each account with privileged access.
- Ask: What happens if privileged access is not revalidated after 12 months?
  Good: The policy states that privileged access is automatically disabled if not revalidated within 12 months, and the records show it actually happening.
- Ask: How does the organisation track the last review date for privileged accounts?
  Good: There is a clear tracking system in place, showing review dates with alerts for accounts that need revalidation.
Cross-framework mappings
How E8-RA-ML2.1 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.18 | Partially meets | E8-RA-ML2.1 requires privileged access to be disabled after 12 months unless revalidated |
| Annex A 8.2 | Partially meets | E8-RA-ML2.1 requires privileged access to be disabled after 12 months unless revalidated |
| Annex A 5.15 | Related | Annex A 5.15 requires access control policies and procedures that define who may access information and systems and under what conditions |
ASD ISM
| Control | Relationship | Notes |
|---|---|---|
| ISM-1507 | Partially overlaps | ISM-1507 requires privileged access requests to be validated when first requested, ensuring initial approval is legitimate and authorised |
| ISM-1843 | Partially overlaps | ISM-1843 requires an annual review of AD accounts with unconstrained delegation and removal where there is no SPN or business requirement |
| ISM-1649 | Supports | E8-RA-ML2.1 requires privileged access to be disabled after 12 months unless revalidated |
| ISM-1647 | Related | E8-RA-ML2.1 requires privileged access to be disabled after 12 months unless it is revalidated |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.